3. Problem Description
a. Denial of service guest to host vulnerability in a virtual device
A vulnerability in a guest virtual device driver could allow a
guest operating system to crash the host and consequently any
virtual machines on that host.
VMware would like to thank Andrew Honig of the Department of
Defense for reporting this issue.
http://www.winpcap.org/
II. DESCRIPTION
Local exploitation of an invalid array indexing vulnerability in the
NPF.SYS device driver of WinPcap allows attackers to execute arbitrary
code in kernel context.
The problem specifically exists within the bpf_filter_init function. In
several places throughout this function, values supplied from a
potential attacker are used as array indexes without proper bounds
SYM07-024
September 05, 2007
Symantec SYMTDI.SYS Device Driver Local Denial of Service
Revision History: None
Risk Impact: Low
Remote Access: No
Local Access: Yes
Authentication Required: Yes, to the local system
Debian-specific: no
CVE ID: CVE-2007-2893
Tavis Ormandy discovered that bochs, a highly portable IA-32 PC emulator,
is vulnerable to a buffer overflow in the emulated NE2000 network device
driver, which may lead to privilege escalation.
For the oldstable distribution (sarge) this problem has been fixed in
version 2.1.1+20041109-3sarge1.
For the stable distribution (etch) this problem has been fixed in
I. BACKGROUND
Zone Alarm products provide security solutions such as anti-virus,
firewall, spy-ware, and ad-ware protection. The vsdatant.sys driver,
also known as the TrueVector Device Driver, is the core firewall driver
in ZoneAlarm products. More information is available at the Zone Labs
web site at the following URL.
http://www.zonelabs.com/
These bugs could be locally exploited by a malicious user in order
to gain unlimited access to the system.
The Nvcoaft51 driver creates a device named NvcOa without a restrictive
security descriptor, so any user can open it and send control codes
directly to the device driver. Arbitrary code execution in kernel mode
is possible because the code that handles IOCTLs is not bug free.
Detailed information and proof of concept exploit code for a tricky
kernel pool overflow can be downloaded here:
identifies the following problems:
CVE-2009-3939
Joseph Malicki reported that the dbg_lvl sysfs attribute for the
megaraid_sas device driver had world-writable permissions,
permitting local users to modify logging settings.
CVE-2009-4027
Lennert Buytenhek reported a race in the mac80211 subsystem that